cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

authelia: configure oidc and use it for immich

Browse source
This commit is contained in:
cy 2025-04-02 10:13:51 -04:00
parent 026abe5123
commit 7653df7715
Signed by: cy
SSH key fingerprint: SHA256:o/geVWV4om1QhUSkKvDQeW/eAihwnjyXkqMwrVdbuts
2 changed files with 27 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

23
modules/authelia.nix
View file

@ -46,11 +46,32 @@ in
}]; }];
storage.local.path = "${varPath}/db.sqlite3"; storage.local.path = "${varPath}/db.sqlite3";
notifier.filesystem.filename = "${varPath}/notifications.txt"; notifier.filesystem.filename = "${varPath}/notifications.txt";
webauthn = {
enable_passkey_login = true;
};
identity_providers.oidc.clients = [
{
client_id = "immich";
client_name = "immich";
client_secret = "$argon2id$v=19$m=65536,t=3,p=4$Vny2G8EbSPafSwnIuq2Zkg$eF2om4WDEaqCFmrAG27h2mYl+cXxXyttPJ7gaPLs+f8";
public = false;
authorization_policy = "two_factor";
redirect_uris = [
"https://photos.cy7.sh/auth/login"
"https://photos.cy7.sh/user-settings"
"app.immich:///oauth-callback"
];
scopes = [ "openid" "profile" "email" ];
userinfo_signed_response_alg = "none";
}
];
}; };
secrets = { secrets = {
sessionSecretFile = getSecret "authelia/session"; sessionSecretFile = getSecret "authelia/session";
storageEncryptionKeyFile = getSecret "authelia/storage"; storageEncryptionKeyFile = getSecret "authelia/storage";
jwtSecretFile = getSecret "authelia/jwt"; jwtSecretFile = getSecret "authelia/jwt";
oidcHmacSecretFile = getSecret "authelia/hmac";
oidcIssuerPrivateKeyFile = getSecret "authelia/oidc_private";
}; };
}; };
@ -58,6 +79,8 @@ in
"authelia/jwt" = sopsConfig; "authelia/jwt" = sopsConfig;
"authelia/storage" = sopsConfig; "authelia/storage" = sopsConfig;
"authelia/session" = sopsConfig; "authelia/session" = sopsConfig;
"authelia/hmac" = sopsConfig;
"authelia/oidc_private" = sopsConfig;
}; };
services.caddy.virtualHosts.${domain}.extraConfig = '' services.caddy.virtualHosts.${domain}.extraConfig = ''

6
secrets/services/authelia.yaml
View file

@ -2,6 +2,8 @@ authelia:
jwt: ENC[AES256_GCM,data:L20XZt1eYz1srY+xIliasq4x2guxNIUOM4mVTPe/1uS2wQY6h1uY9n7yoMQ=,iv:OhTuutHQOVLG/CjX3m839Acw9eq/Yh3Iy947km1jalQ=,tag:nq/lwsfGSzeH6RsXLzr24g==,type:str] jwt: ENC[AES256_GCM,data:L20XZt1eYz1srY+xIliasq4x2guxNIUOM4mVTPe/1uS2wQY6h1uY9n7yoMQ=,iv:OhTuutHQOVLG/CjX3m839Acw9eq/Yh3Iy947km1jalQ=,tag:nq/lwsfGSzeH6RsXLzr24g==,type:str]
storage: ENC[AES256_GCM,data:RW15TzoZifv0xrVAfrM7yFXv1ISp7v1c20PL4nGkQrXwjablPKQa5IZ0Fvg=,iv:YQ7+2h4O0Qx9BqnFU7WMaZuPtKU4BUo56/KPq2NQYxI=,tag:LQ8gWhf9rblGkN5bhPHPIQ==,type:str] storage: ENC[AES256_GCM,data:RW15TzoZifv0xrVAfrM7yFXv1ISp7v1c20PL4nGkQrXwjablPKQa5IZ0Fvg=,iv:YQ7+2h4O0Qx9BqnFU7WMaZuPtKU4BUo56/KPq2NQYxI=,tag:LQ8gWhf9rblGkN5bhPHPIQ==,type:str]
session: ENC[AES256_GCM,data:fJY4uSKRIcHDyDqndT9YiolOX1HDw2BphoaZONAv8AhdPV+aG5qj9Ppy3Rw=,iv:dcFZyIdZQQlyAORudsUCCD2wx4Sc7NF0dh/v/M6iYko=,tag:vBYU58mL7DecMqhX/TUdVg==,type:str] session: ENC[AES256_GCM,data:fJY4uSKRIcHDyDqndT9YiolOX1HDw2BphoaZONAv8AhdPV+aG5qj9Ppy3Rw=,iv:dcFZyIdZQQlyAORudsUCCD2wx4Sc7NF0dh/v/M6iYko=,tag:vBYU58mL7DecMqhX/TUdVg==,type:str]
hmac: ENC[AES256_GCM,data:K/qiyibBlu9wNh9IINHgYQiEZMromSA9Kf0iRVHPVuuhhUBZRyyfFyd4sLYNDLWvYKRJGnTBniIscQuBR+HU3/ttFGN0EkDsuAXlW3tKyLSxTiVgEvsKhA==,iv:2femAZUtSE9DjopiRIRT3Be3T2Qi0J+b8TaNJZ9vcjw=,tag:Sb7TT+1uxtStv20oM8oa8A==,type:str]
oidc_private: ENC[AES256_GCM,data:dzrykbgRk77yDbrnayTzSyiAjvgr5RUuDG046azumPinHL9wBaKpNdx6CqY7o+W95yOyVr/Xriw/aBbSyCZE8RoMchZhnS5Z8moHrIK7RryRM/BmEpOfyFLf9kpaO5QqSGyPt13yJQSA/3TwoXD4et3rVEdEz8mwb+vIA+G3WIZrNY+95KNjhwu9W648eouGBqJFfwTw0tm8mHsu+VZE8OYdp+ujSlKWZcVDEzgMEe+egXbvSB/3sk82HjolcqCmDx+U1TWMZfZdZPaT4RxONy+4kgGDW4FOqtsgctS2uRUQ2CLuRLD8xIulBO/VbsnNuticiM86BYygobq3RUdCKAFLUpcXqNWgnDBvnYPcF6mXPTmFCD3Gr2t4uRkqIIPc3NrW6DKnSO4pu4oVlUiSd9XaHGvAuo0yR7zcG7Zl4BAzhZa1HuVq6QmSNMf1TAo5P5zBc/NKlUVUhgIEKmRkwf95ZDyph1CJJagTsRZp/D4n6gbuzmV2Pjd8GxT6X+GOK7MQ3hPWsQP8+hhf8DArnVa988Z5cVxG3CQS6wEdEfc8yoHXlXwsB6iHjG4GooJk17GkP0YnMqOkv5Y9QbWXGNN/Zce6LJrSdvpd1Z8oWHxFB9ChFEA34tTYE/1wv0C71K6VRADnshBTyg0i+7GxvW0iyplWGEB2/DRv9WbpmIze1vff0KPlwvmdPXvZM7kfJE6uRP+DH5kJeIlKezA+hwuZmTLEu8kTdIkIJVfbzuOmXtX1yO+sQmSs6anqbSBuw5dpKYFFtQ04V+P27uTdi6lbUUfaBiHMhiW2A8aj/1Xf+pOV5oIN1c7PXNhAGrsNbmumQ7mBmbfOZeLC2aze5iKLSu5xqCzMNEWdlxXkmK+eEuUgDAQgW0pRAA12wvAFT8cf5BIeEPQQF4gPJprrQ3u93AXCVXve/TPC6rSEb+uCVq30JRGvIciFAEPWjhtSSO2Mh2zxjaALXVRE456k8DQq5mvovCp003EW23Io+lKDfg73n4LLZvbpHBVa3SQY0YMazjynJTo6UcDT3J/u9kNutIRjszzohMdW4jmykawPb/FFGv4yaX199bkTT/6/ztygaUTUTtWrl40p61lMzFHsz1qPy/5Bp4fxOYk6mLHpUFBpXUlu90ZxiReu6fX9HR6oQ1OC6MmpYjvcvxOAfIszgoMmp0LABJ1XN7DMOxpRrjNqW071xnel2/NzYy/gx0r2SdusxFJckGjrnyVzjEBVFwdpc9lZ+NdyzbNaElt/duk5AhdQ/iTCDlQpFsBhcl83Sbt38P/QlsOCPvRYuOz3vvOgeRprZn4hXuvGpQKJZEy+/rHDFijVABgbqLBxhfQiCpFmfwqQrcI+vFnPBGHP96p8S7xg5Dh2007QyFk9D2zHDHY6E+Iv27UkjaCZI29IAEdBe86IMtLI7Pl0q6XE44cHwD+QqzS55YlPj/F3va9LesoylPzBJwlxogciolfBQfQjLp4OF1rBSpy1Xy/Es7+M9eEsdatX1a3qFzYCJbC8+no5ol0PaIHx4ejH9aeoIiVfq/yXtzV04pJQz0bZfpfKVwtroyHhclEsP9pZVHnnexIFY1xqVF76V0kbusiizhru5ldOWE7smwXD5+KyMCTfDuxPnEjFBZLb/BLjo46sugJTAGQJhBBWJY+h7Je5PP+FnjQG28h4n4NMshhPfnyDEAZWNpDAHi08KhHOGzbNhPl+E+pNrNoNwmJjWbiqZ+P9LVQf1s5C+UrL+uV6qpeVKcm9tjy75fgVTD4iRXb4ejQIWlwO2EVLBzI9BXYsVmly6z0C+8f3wDPswwwocna9SonBus1QGudZ8cLSihZqSYmq6fCIFqfXTlCj3H0aOBNbX7dCYrles/y6jtn0VebQa3UEflXs+4WytpXdKEelN5f1PoJVnjrRF6Wtyq23GNbo1M9BTBQfpUf5x7QnZrxyIVbgvHq3JSR6/5p6yv6SGOdypCEqMtvnw9+bJMi6bxy55tXQNNpBB/GHWPqzOE9//9pqazJzikL/x7HWg/t+tJ7yV7MCFV6Bk2cy77j7i0fftxfHqjF7MRbnIaJRqxiTqp0z2rA4L797Que6a903b/u/AStMnsm8sE9gRy7P5L/PafqpgA/kK2FIxbDDP91cnvikRi2u+oaydHLhCkaq20SIupBCbgyDVkOXZ9n5EnKJDjFOAbOQ2UiXYrQPXDEMPLLUklBeLzQBHY4ZTQ7zzMb1tqvo4UqaHVnw2FwY+PoX2IPmF1ciccFO5uHX2w2qz8Hx0ZCPa9AsR/3HhKAg9sdg0cF0k3nXqTWCSs8j+9vpJxjCmrN1bXwoRA8K/ICYDoOtjb76c1B/Ahvc2YA7OULcM0EAzsQ2Z++cU/OCIcQatxzEx+TOp5i1yN2YnCFHqDBpE1UB2UbxBCYb+oEEBqB9qeFkQI6eZmvHASjdasXUtvnBYNCc3nliGfODoOXKLmzHQZJVPguWFu7b06zWA7fy3qGMjf7h/RhKbfkL9o7HkAvHTSh0+Lpc8gjPVu+sqLNUMyk3196LJWUI3nf7L3kUxkdSBdsJ/18FZ97OzC3Ws9dhhWe02ry3Y2ptRnIlLf8f4Y/P6FpqwR8Asa6NYBq+LKNSuWfzo4ZynkPt4irAm0LDOnZzbrRbQTB7tUHIA1dZMMWueIe22mUDOzTGDPuFSfF31rYbh2rmc3Tjvkumz6g53kdCV4QnL04htkMwql4KvpMCrkkMxDRlOTf1Xh10QrO49aPd29i7LbFjorGj1872hXszPDpmdDN78VApvMzVue8dKdhlz/x/9aCJnp9oEEgdObEg2OYyc29bqd9kbCOs5F4vaI4YdMrN9QKTqjAVG0kQAKH41Q7VCe0/jPWmGpH4Kd40RQ6/NY5g312D3RKV3V30DlCOIm+w1z7XzV2EWTgb5vgg4EbYyVmh3Y7wBguv2qOqzwhGMFrWGx+fTFAe5Zq8TVwvQUfeN/vFlYz+jc8ysKBbyrrAl4vKm2pz9Geu3Rh4AfRRmxawNjE/qlrTk6sWdWNJu7i2Wgk1C2+1FZeAprPg6EsZj7rFEGOFvZIjWrTi7n+IHI+8rRKDo3J5SkAsxiDaDo8dfvGecPp9ig5l9+OiN68t29HxfGnhJsk5eim/vkuA5mdFJW0cy7h3gtP1Z0PtRYsRoBO+hPp7dcYhhh9NqkP4LbVI8graz5FEf0yMmaA6ci7xgBWe/zOa0V539Y9cWzTK5zE2wrWI+mHKsbgUH9s+7y0tTVk9mPaNKhih1MHgCQiFyctQLzVnd6fXnv7JHzkkIY7AQiCjEZ4QPUrj99rDh0bikDtKX0hAiVedGMJQ664Hhyd3sWVGfrC/Qmob+4LhpE24kAxIRf94d2cB1zRFQ02HMGkbVUbge8SPNqqq/HoWkYvNo/ltdL0Nr5Qb1OmY0LP5txGh8cCQt8SD3K/ww+ZjD0ZbqqTwIaND9reyzXL0ryf8yNkiPCTpFiNmdL1rtHw+E2s9HtdngCz9XuGW5GRa4cL5xY1Yt4WBLEnxXwmyB/EOjBIeO4aJuwAcssL3UrvS/IEERWN4XrqVM4O81ainLaXeze1jj9VJcMb+/qz8dMdgm4WGkKfbbJeIsFCrlHOJ0CFNZZmijMvkoTvZ9WTq2OpxxZdsci1UmItlU60LETfWTUK8Q3YOo+c+fukIMPv68NLQH1LsiYjFXo9yDdzfD990uI5wdwnR3S3Sx6Vp04SkzJX7BAZ2UuL0wJ564Ny4S9Ew5BfWucd70mfQaEzOl52M9mqCyJYDfMYhd65YxkAEAV1dMg3FBlpZmOr2wtEQqXz+25cSPCNwQ/obCQt12cLNGRhyNi1Stz2E67Q9sesmssF7dgq0u/TeLezzVxTk13sJj6PzMtdpOYDwsgZJdh9hz8PZ32nJMTJnlkq6zcTYsbq23+HreCx1dHJJEDjpqZlttMYqLZ8mLLob25PzFaue164MbqozFtNTOc8eeOD+hoPCP/hfPoKoNi7oARs0fvwOwCQEug0XpMcz9mF/85ZBxYuDUBEP1vpbD9MpP/ECslqGdHuJePEFiiJOrDVggpaGcgWUfS2jwWv/46Bbz+W9QH+6Y8IevMf+lXPOL294g5VOoOW5k77naeNNCbycbijFD76gR5DtA+Vn+B6pxzF7l4E4VqC0Vlc1OUvYA7GLZ4rzb4bH4cEZiIb2/skDhJOmcb2btPWKRgutbmpHmi59eVbVkKUAKXm/WBw8xLwt2sLBS5r5R7aAZpMu/NaXFTfBEBGUzrH1u8Pfz3FwRK7v0QEyzhu2bS2JkGxSsaxD5+geQlvzN8eRYW4+pst/CfcCxTES9spBnqSWIX++rs8f9/mECf4jXzZQDv0fdbGILAU=,iv:GTKiBIir9+G3Lh45x77KARxi7paEsGP1m0qVldRnuOw=,tag:eCsjDzyO1g2HvnDhR/Gb4w==,type:str]
sops: sops:
age: age:
- recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8 - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
@ -31,7 +33,7 @@ sops:
b2pGTmJva2VnOFZlRWxlOW5wMitDUkkKrZyzpch6jTSsumseBEaN8xQXfng4P7ds b2pGTmJva2VnOFZlRWxlOW5wMitDUkkKrZyzpch6jTSsumseBEaN8xQXfng4P7ds
JSoock3sEmL4NSfxXSu+PP8kEOXFtu1yAcmSSeVDDhV7jiwE4egu2Q== JSoock3sEmL4NSfxXSu+PP8kEOXFtu1yAcmSSeVDDhV7jiwE4egu2Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-02T06:02:29Z" lastmodified: "2025-04-02T14:06:11Z"
mac: ENC[AES256_GCM,data:F/nZqGBLsjLqocmtQCShAEDK79pEwZRVXw1ZNd6Rr2I6fewF2j3XAM5Zk9oRyI1jeD6lnKcWaYVx7dYFbcstlmTUZ2farIYZ6G/ylBMQxNP9mom+wWPz9oCwd5qBF5YrI0PtO6dFD7XXcUlWcWlPheuJ035XGp53rtNmvy1LVW0=,iv:+iWhVLm+KSLMb42n5d2I3JE6AQq/6tbd6LHd2nyUKfI=,tag:+oclIvtaG1s3SVLqbDiNwQ==,type:str] mac: ENC[AES256_GCM,data:wK8Nb1Vb80UfolzqZOpifZdoEKYu847anowYiCdSluoK+dfHhDhCj7ZxznYV7SwVACIoLsqLR5syRzC861PRBrAujkhbcn7lTc1kQRCjw0gMAbPYR/xiO76EHmiYqnV2UMN0EmuQg1nIRIWY9EO9C7m1b9fjoZFgDsj/7O99aVU=,iv:CJxUKpyNgEYwqLhSvuXoHb+Hu3M7ydKh0WlsjlOtKkM=,tag:4KXmNwwFrqvBjxe656Jvug==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.1 version: 3.10.1